Vulnerability Name:

CVE-2007-3503 (CCN-35168)

Assigned:2007-06-28
Published:2007-06-28
Updated:2018-10-26
Summary:The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML documentation pages that contain cross-site scripting (XSS) vulnerabilities, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2007-3503

Source: BEA
Type: Third Party Advisory
BEA07-177.00

Source: CCN
Type: Apple Web site
About the security content of Java Release 6 for Mac OS X 10.4

Source: MISC
Type: Third Party Advisory
http://docs.info.apple.com/article.html?artnum=307177

Source: APPLE
Type: Mailing List, Third Party Advisory
APPLE-SA-2007-12-14

Source: OSVDB
Type: Broken Link
36488

Source: CCN
Type: RHSA-2007-0818
Critical: java-1.5.0-sun security update

Source: CCN
Type: RHSA-2007-0829
Critical: java-1.5.0-ibm security update

Source: CCN
Type: RHSA-2007-0956
Moderate: java-1.5.0-bea security update

Source: CCN
Type: SA25769
Sun JDK JavaDoc Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: Third Party Advisory
25769

Source: SECUNIA
Type: Third Party Advisory
26314

Source: SECUNIA
Type: Third Party Advisory
26369

Source: CCN
Type: SA26631
BEA JRockit Multiple Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
26631

Source: SECUNIA
Type: Third Party Advisory
26645

Source: SECUNIA
Type: Third Party Advisory
26933

Source: SECUNIA
Type: Third Party Advisory
27203

Source: CCN
Type: SA28115
Mac OS X Java Multiple Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
28115

Source: CCN
Type: SECTRACK ID: 1018327
Sun JavaDoc Input Validation Hole Permits Cross-Site Scripting Attacks

Source: CCN
Type: Sun Alert ID: 102958
Cross-site Scripting Vulnerability (XSS) Affecting Pages Generated with JavaDoc Tool

Source: SUNALERT
Type: Broken Link
102958

Source: CCN
Type: ASA-2007-335
Cross-site Scripting Vulnerability (XSS) Affecting Pages Generated with JavaDoc Tool (Sun 102958)

Source: CCN
Type: ASA-2007-336
java-1.5.0-sun security update (RHSA-2007-0818)

Source: CCN
Type: ASA-2007-343
java-1.5.0-ibm security update (RHSA-2007-0829)

Source: CCN
Type: ASA-2007-465
java-1.5.0-bea security update (RHSA-2007-0956)

Source: CCN
Type: GLSA-200709-15
BEA JRockit: Multiple vulnerabilities

Source: GENTOO
Type: Third Party Advisory
GLSA-200709-15

Source: CCN
Type: OSVDB ID: 36488
Sun Java JDK JavaDoc HTML Documentation Page XSS

Source: REDHAT
Type: Third Party Advisory
RHSA-2007:0818

Source: REDHAT
Type: Third Party Advisory
RHSA-2007:0829

Source: REDHAT
Type: Third Party Advisory
RHSA-2007:0956

Source: BID
Type: Third Party Advisory, VDB Entry
24690

Source: CCN
Type: BID-24690
Sun JavaDoc Tool Cross-Site Scripting Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1018327

Source: VUPEN
Type: Third Party Advisory
ADV-2007-2383

Source: VUPEN
Type: Third Party Advisory
ADV-2007-3009

Source: VUPEN
Type: Third Party Advisory
ADV-2007-4224

Source: XF
Type: Third Party Advisory, VDB Entry
sun-jdk-javadoc-xss(35168)

Source: XF
Type: UNKNOWN
sun-jdk-javadoc-xss(35168)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:10704

Source: CCN
Type: BEA07-177.00
Multiple Security Vulnerabilities in the Java Runtime Environment

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:jdk:1.5.0:update11:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.6.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:sun:jdk:1.6.0:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update10:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update11:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update1:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update2:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update3:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update4:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update5:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update6:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update7:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update8:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.5.0:update9:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jrockit:r27.3.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:22641
    P
    ELSA-2007:0956: java-1.5.0-bea security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:21855
    P
    ELSA-2007:0829: java-1.5.0-ibm security update (Critical)
    2014-05-26
    oval:org.mitre.oval:def:10704
    V
    The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML documentation pages that contain cross-site scripting (XSS) vulnerabilities, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    2010-09-06
    oval:com.redhat.rhsa:def:20070956
    P
    RHSA-2007:0956: java-1.5.0-bea security update (Moderate)
    2007-11-29
    oval:com.redhat.rhsa:def:20070829
    P
    RHSA-2007:0829: java-1.5.0-ibm security update (Critical)
    2007-08-07
    BACK
    oracle jdk 1.5.0 update11
    oracle jdk 1.6.0
    sun jdk 1.6.0
    sun jdk 1.5.0 update10
    sun jdk 1.5.0 update11
    sun jdk 1.5.0
    sun jdk 1.5.0 update1
    sun jdk 1.5.0 update2
    sun jdk 1.5.0 update3
    sun jdk 1.5.0 update4
    sun jdk 1.5.0 update5
    sun jdk 1.5.0 update6
    sun jdk 1.5.0 update7
    sun jdk 1.5.0 update7_b03
    sun jdk 1.5.0 update8
    sun jdk 1.5.0 update9
    gentoo linux *
    redhat rhel extras 4
    oracle jrockit r27.3.1